how to return token from graphql mutation

This is my code of mutation in which i use the type of User which has name,email,password and i make two mutations for the register the user and login the user. I have searched all the docs about the graphql and read all the blogs related to authentication but can't got the answer to return the token from the mutation

The reason is that UserType is a return type of the mutation, so it's "public", and maybe we should not send a password to public(as we are authenticating on the server side), but JWT is public, so we can send it back.

And in your login mutation add the token into the user object, something like:

I am implementing a system where the user can invoke authorization through a third party system. The authentication can take a long time to finish. What happens is that a user has to open an app on his phone and then enter a code.

From the API perspective, right now, the flow looks like this:

Request:

POST /login

body: { "user": "alice" }

Response: (after 10-20 seconds)

body: { "status": "success", "token": "valid.jwt.token" }

The thing is, the front-end client has to keep the connection open for a long time and it seems like an anti-pattern for me. The connection is open for 10-20 seconds.

What I wanted to do is change the way it works and do it like this instead:

Request:

POST /login

body: { "user": "alice" }

Response: (instant)

body: { "uuid": "auth_request_id", }

And then the user would poll a GET /auth/{auth_request_id} endpoint that would respond with the CURRENT state of the authentication.

So for example, this is how the response would look like before the user opened the phone auth app.

I have researched the topic online and came across OAuth 2 and all the other standards but they do not fit my use case.

The reason is that the user will stay on the page where the log-in form is and perform no redirects at all. Then he will open another device (phone) where he will perform 2 factor authentication.

I want to dynamically show the user the state of his authorization. For example, if the user didn't open the app yet, I want to tell him to do so. Additionally, I want to increase the resiliency of the log-in system by getting rid of the long lasting HTTPS connection. With this polling solution, if one api server goes down, another one will respond and take over based on the request UUID.

The only problem I have is knowing whether a set-up like that is secure. I understand if someone would steal the uuid of and start polling the GET /login/{uuid} endpoint, they could in theory steal the final JWT token.

How would I design this flow instead so it is safe? Or is this design safe for authentication?

In the end, if someone steals your cookies or JWT, they'd have your authentication details anyway - so maybe this cannot be protected against.

Note: Assume that the traffic will ALWAYS happen over HTTPS so the UUID cannot be stolen by network packet capture.

I am working in Apollo, GraphQL and Nuxtjs project, when setting up Apollo configuration I got this Warning:

link.js:38 Error: You are calling concat on a terminating link, which will have no effect
at new LinkError (linkUtils.js:41)
at concat (link.js:38)
at ApolloLink.webpackJsonp../node_modules/apollo-link/lib/link.js.ApolloLink.concat (link.js:65)
at link.js:13
at Array.reduce (<anonymous>)
at from (link.js:13)
at createApolloClient (index.js:58)
at webpackJsonp../.nuxt/apollo-module.js.__webpack_exports__.a (apollo-module.js:66)
at _callee2$ (index.js:140)
at tryCatch (runtime.js:62)